A new remote access trojan (RAT) named STX RAT has emerged as a notable threat in 2026. It combines a covert remote desktop capability with credential theft, letting attackers quietly take over targeted systems. Its name comes from the ASCII "Start of Text" (STX) control character, 0x02, which the malware prepends to every message it exchanges with its command-and-control (C2) server; that single leading byte is also a convenient fingerprint for the traffic.
STX RAT was first observed in late February 2026, when threat actors attempted to infiltrate an organization in the financial sector. The infection chain began with a VBScript file downloaded through a web browser, which dropped a JScript file; that JScript retrieved a TAR archive and used a PowerShell loader to inject the final payload directly into memory. By early March, researchers at Malwarebytes had identified a separate campaign distributing STX RAT through trojanized FileZilla installers, showing that the operators were already running multiple distribution methods in parallel.
eSentire's Threat Response Unit (TRU) analyzed STX RAT after the late-February incident and found a technically capable implant with several defenses against analysis. It checks for artifacts of virtualized environments such as VirtualBox, VMware, and QEMU; if any are found it performs a "jitter exit," sleeping for a random interval before terminating, so that automated sandboxes, which typically run a sample for a fixed time, record nothing useful.
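The artifact checks and the jitter exit are easier to reason about in code. The block below is an added example, not eSentire's or the malware's code: it shows the kind of VirtualBox, VMware, and QEMU artifacts such checks look for (process names, adapter OUIs, SMBIOS strings), evaluated against two constructed host snapshots. The indicator tables are well-known artifacts rather than STX RAT's actual list, and the 30 to 300 second delay range is an assumption.

```python
import random

# Constructed indicator tables covering the three hypervisors the article names.
# These are well-known artifacts, not a copy of STX RAT's actual checks.
VM_ARTIFACTS = {
    "VirtualBox": {"processes": {"vboxservice.exe", "vboxtray.exe"},
                   "mac_prefixes": {"08:00:27"},
                   "strings": {"virtualbox", "vbox", "innotek"}},
    "VMware": {"processes": {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe"},
               "mac_prefixes": {"00:0c:29", "00:50:56", "00:05:69"},
               "strings": {"vmware"}},
    "QEMU": {"processes": {"qemu-ga.exe"},
             "mac_prefixes": {"52:54:00"},
             "strings": {"qemu", "bochs"}},
}


def vm_artifacts(processes, macs, hw_strings):
    """Return the hypervisor families whose artifacts appear in a host snapshot.

    processes  - image names of running processes
    macs       - MAC addresses of network adapters (OUI = first three octets)
    hw_strings - SMBIOS / registry vendor strings (system manufacturer, disk model, ...)
    """
    procs = {p.lower() for p in processes}
    ouis = {m.lower()[:8] for m in macs}
    blob = " ".join(hw_strings).lower()
    return [family for family, ind in VM_ARTIFACTS.items()
            if procs & ind["processes"]
            or ouis & ind["mac_prefixes"]
            or any(s in blob for s in ind["strings"])]


def jitter_exit_delay(seed=None, low=30.0, high=300.0):
    """Random sleep (seconds) before exiting. The 30-300 s range is an assumption;
    the point is that it is long and unpredictable enough to outlast sandbox timeouts."""
    return random.Random(seed).uniform(low, high)


def should_bail(processes, macs, hw_strings, seed=None):
    """Implant-side decision: (bail, delay_seconds, families_matched)."""
    families = vm_artifacts(processes, macs, hw_strings)
    if not families:
        return False, 0.0, []
    return True, jitter_exit_delay(seed), families


# Constructed host snapshots: a physical workstation and a stock VirtualBox guest.
CLEAN_HOST = (["explorer.exe", "svchost.exe"], ["3c:52:82:aa:bb:cc"],
              ["Dell Inc.", "Samsung SSD 870"])
VBOX_HOST = (["explorer.exe", "VBoxTray.exe"], ["08:00:27:12:34:56"],
             ["innotek GmbH", "VBOX HARDDISK"])

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("virtualbox", VBOX_HOST)):
        print(label, should_bail(*host, seed=1))
```

For a sandbox operator the practical reading is the inverse of the implant's: every artifact in these tables (guest-tools processes, the hypervisor's default OUI, the vendor strings in SMBIOS and disk identifiers) has to be scrubbed or spoofed, and the analysis window has to exceed whatever jitter the sample uses, or the run ends before the payload does anything.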
Alongside its anti-virtualization checks, STX RAT uses an AMSI-ghosting technique: it patches a Windows RPC function that AMSI relies on, disabling a scanning layer that many security tools depend on to inspect script content in running processes. The malware also hides its console window from the Alt+Tab switcher and the taskbar. Once running, the implant connects to a C2 server at 95.216.51.236 and sends an initial check-in containing the hostname, username, operating system version, whether it is running as administrator, installed RAM, and the antivirus products it detected.
All traffic between the RAT and its C2 server is protected by an X25519 ECDH key agreement and ChaCha20-Poly1305 authenticated encryption, so captured sessions cannot be decrypted without the per-session keys. The infostealer module targets saved credentials from FileZilla, WinSCP, and Cyberduck, file-transfer clients commonly used by developers and IT administrators. After harvesting credentials, the malware captures a desktop screenshot, giving the attackers direct visual confirmation of what the compromised machine is being used for.
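To make the channel described above concrete, here is an added example (not STX RAT's or eSentire's code) that models both ends of it: the 0x02 framing byte on every message, an X25519 key agreement, and ChaCha20-Poly1305 for the payload, carrying a constructed check-in with the fields the article lists. The HKDF step that turns the shared secret into a key, the nonce placement, and the check-in layout are assumptions, since the article does not describe them; the example requires the third-party `cryptography` package.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

STX = b"\x02"   # ASCII "Start of Text", the magic byte prepended to every message


def frame(payload):
    """Prepend the STX byte to an outbound message."""
    return STX + payload


def is_framed(msg):
    return msg[:1] == STX


def unframe(msg):
    """Strip the STX byte; a receiver (or a network sensor) can reject anything else."""
    if not is_framed(msg):
        raise ValueError("missing STX framing byte")
    return msg[1:]


def raw_public(priv):
    return priv.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def session_key(my_priv, peer_pub_raw):
    """X25519 ECDH, then HKDF-SHA256 to a 32-byte ChaCha20-Poly1305 key.
    The HKDF step and its info label are assumptions; the article does not say
    how the shared secret is turned into a key."""
    shared = my_priv.exchange(X25519PublicKey.from_public_bytes(peer_pub_raw))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"stx-example").derive(shared)


def seal(key, plaintext):
    """Encrypt with a fresh 96-bit nonce; the STX byte is bound in as associated data."""
    nonce = os.urandom(12)
    return frame(nonce + ChaCha20Poly1305(key).encrypt(nonce, plaintext, STX))


def open_(key, msg):
    body = unframe(msg)
    return ChaCha20Poly1305(key).decrypt(body[:12], body[12:], STX)


def checkin_roundtrip(tamper=False):
    """Implant sends its first check-in to the C2. Returns what the C2 sees plus what an
    on-path observer sees; with tamper=True one ciphertext byte is flipped in transit."""
    implant, c2 = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    # Each side combines its own private key with the peer's public key.
    k_implant = session_key(implant, raw_public(c2))
    k_c2 = session_key(c2, raw_public(implant))
    # Constructed check-in with the fields the article lists; the real layout is not public.
    hello = json.dumps({"hostname": "WS-FIN-07", "user": "jdoe", "os": "Windows 11 23H2",
                        "is_admin": True, "ram_gb": 16, "av": ["Windows Defender"]}).encode()
    wire = seal(k_implant, hello)
    if tamper:
        wire = wire[:-1] + bytes([wire[-1] ^ 0x01])
    try:
        c2_view = json.loads(open_(k_c2, wire))
    except InvalidTag:
        c2_view = None
    return {"keys_match": k_implant == k_c2, "c2_view": c2_view,
            "stx_on_wire": is_framed(wire), "hostname_visible": b"hostname" in wire}


if __name__ == "__main__":
    print(checkin_roundtrip())
    print(checkin_roundtrip(tamper=True))
```

The defender's takeaway is in the last two fields: the only stable network-visible features are the destination and the leading 0x02 byte, so a sensor can match on framing and endpoint, but it cannot inspect the check-in contents, and any attempt to modify the stream in transit simply fails the Poly1305 tag on the receiving side.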
Hidden Remote Desktop Control: How STX RAT Operates Silently
One of STX RAT's most concerning features is its Hidden Virtual Network Computing (HVNC) module, which gives the operator full interactive control of the victim's machine without the user noticing. Unlike conventional remote desktop software, which visibly takes over the user's primary display, HVNC creates a separate desktop that runs invisibly alongside the user's own. Everything the attacker does there, browsing websites, opening files, launching applications, happens on that hidden desktop and is never shown on the victim's screen.
HVNC is started with a `start_hvnc` command from the C2 server. Once active, the operator injects input with `key_press` for keystrokes, `mouse_input` for mouse movement and clicks, and `mouse_wheel` for scrolling, and can paste text directly into applications with `paste`; all of these are built on the Windows SendInput API. A `switch_desktop` command lets the operator manage several hidden desktops at once. When the session is over, `connection_lost` and `channel_closed` tear it down and release the desktop handles without leaving obvious traces.
This architecture puts STX RAT well beyond a typical credential stealer. While the victim keeps working on the visible desktop, the attacker can simultaneously log into internal systems, exfiltrate files, or stage additional payloads from the hidden one. Combined with the credential-harvesting module, HVNC turns an initial compromise into a persistent foothold that is hard to notice and hard to remove.
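The hidden desktop is also the defender's best handle on HVNC. Implementations of this kind generally create their extra desktop object with the CreateDesktop API inside the user's interactive window station (a general fact about HVNC, not something the article states about STX RAT), so enumerating that station's desktops and flagging names Windows itself does not create is a cheap host-level check. The block below is an added example, not from the article or eSentire: the baseline desktop names are an assumption drawn from a stock Windows install, the enumeration only runs on Windows, and the sample name `hvnc_7f3a` is hypothetical.

```python
import sys

# Desktop objects Windows itself creates in the interactive window station (WinSta0).
# Assumed baseline from a stock install; extend it for software in your image that
# legitimately creates desktops (some AV/secure-input products do).
EXPECTED_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}


def unexpected_desktops(names):
    """Pure classifier: desktop names outside the baseline, in enumeration order."""
    return [n for n in names if n.lower() not in EXPECTED_DESKTOPS]


def enumerate_desktops():
    """Windows only: names of all desktops in this process's window station (EnumDesktopsW).
    Run it in the logged-on user's session; a desktop created by an HVNC module lives in
    that user's window station, and the caller needs DESKTOP_ENUMERATE access to see it."""
    if sys.platform != "win32":
        raise RuntimeError("EnumDesktopsW is a Windows API")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    ENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HWINSTA
    user32.EnumDesktopsW.argtypes = (wintypes.HWINSTA, ENUMPROC, wintypes.LPARAM)
    user32.EnumDesktopsW.restype = wintypes.BOOL

    names = []

    def collect(name, _lparam):
        names.append(name)
        return True          # keep enumerating

    callback = ENUMPROC(collect)   # keep a reference alive for the duration of the call
    if not user32.EnumDesktopsW(user32.GetProcessWindowStation(), callback, 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return names


def scan(names=None):
    """Return suspicious desktop names; pass `names` to evaluate a captured list offline."""
    return unexpected_desktops(enumerate_desktops() if names is None else names)


# Constructed enumeration results: a normal session and one with an extra hidden desktop
# (the name "hvnc_7f3a" is hypothetical; real implants pick arbitrary names).
NORMAL = ["Default", "Winlogon", "Disconnect"]
INFECTED = ["Default", "Winlogon", "hvnc_7f3a", "Disconnect"]

if __name__ == "__main__":
    print(scan() if sys.platform == "win32" else scan(INFECTED))
```

Treat a hit as a lead rather than a verdict: the check tells you a process in the session created a desktop, not which one, so follow it up with the owning process (Sysmon or ETW process-creation data, or the YARA rules mentioned below) before acting. Because `connection_lost` and `channel_closed` release the desktop handles at the end of a session, the extra desktop may only exist while the operator is active, which argues for running the check on a schedule rather than once.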
Security teams should block the known C2 IP address, 95.216.51.236, and its associated Tor onion address at the network perimeter. eSentire's TRU has published YARA rules for both the unpacked payload and the loader; running them against process memory will identify infections that are already resident. To catch early-stage infections, monitor for elevated (high-integrity) wscript.exe executions of JScript files from temporary directories and for PowerShell launched to read its script from standard input. Where VBScript and JScript are not needed for business functions, disabling them significantly reduces the initial attack surface available to threat actors.
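The early-stage hunting logic above, expressed as rules over process-creation and network telemetry, looks like the following. This is an added example and not part of eSentire's published detections: the field names follow Sysmon's Event ID 1 (process create) and Event ID 3 (network connection) schema, the events are constructed to mirror the chain the article describes, and the severities are mine. The one PowerShell-specific fact it relies on is that `-Command -` and `-File -` make PowerShell read its script from standard input.

```python
import re

C2_IPS = {"95.216.51.236"}            # from the article
TEMP_DIR = re.compile(r"(\\|/)(temp|tmp)\1|%temp%", re.IGNORECASE)
JS_FILE = re.compile(r"\.jse?\b", re.IGNORECASE)
# PowerShell reads its script from standard input when -Command or -File is given "-".
PS_STDIN = re.compile(r"-(c(ommand)?|f(ile)?)\s+-(\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return (rule, severity) pairs that fire for one Sysmon-style event."""
    hits = []
    if event.get("EventID") == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if image in SCRIPT_HOSTS and JS_FILE.search(cmd) and TEMP_DIR.search(cmd):
            elevated = event.get("IntegrityLevel") in ("High", "System")
            hits.append(("jscript_from_temp", "high" if elevated else "medium"))
        if image in ("powershell.exe", "pwsh.exe"):
            if PS_STDIN.search(cmd):
                hits.append(("powershell_stdin", "high"))
            if parent in SCRIPT_HOSTS:
                hits.append(("powershell_from_script_host", "high"))
    elif event.get("EventID") == 3 and event.get("DestinationIp") in C2_IPS:
        hits.append(("known_c2_ip", "critical"))
    return hits


def hunt(events):
    """(event index, rule, severity) for everything that fires across a batch."""
    return [(i, rule, sev) for i, ev in enumerate(events) for rule, sev in triage(ev)]


# Constructed events mirroring the chain described above; field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\inv_2026.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command -"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": 'powershell.exe -Command "Get-Date"'},          # benign admin use
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "95.216.51.236", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": r"node.exe C:\Users\jdoe\AppData\Local\Temp\build\bundle.js"},  # .js in Temp, not a script host
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The script-host and parent-process rules are the durable ones: the C2 address will change between campaigns, but a JScript file executing from a temp directory and then spawning PowerShell that reads its payload from stdin is the loader's shape regardless of infrastructure. In environments where VBScript and JScript are disabled as the article suggests, the first two rules should never fire, which makes any hit worth an immediate look.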